From 85fadbfef32b08a30b82d7a12a5b2a70e3c63cfc Mon Sep 17 00:00:00 2001
From: Luke Towers <luke@luketowers.ca>
Date: Tue, 12 Nov 2019 12:32:17 -0600
Subject: [PATCH] Check user permission for the mediafinder formwidget.

Fixes #4216. Replaces #4669. Credit to @gergo85.
---
 modules/backend/formwidgets/MediaFinder.php | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/modules/backend/formwidgets/MediaFinder.php b/modules/backend/formwidgets/MediaFinder.php
index 3567b2e68..82a179694 100644
--- a/modules/backend/formwidgets/MediaFinder.php
+++ b/modules/backend/formwidgets/MediaFinder.php
@@ -1,7 +1,8 @@
 <?php namespace Backend\FormWidgets;
 
-use System\Classes\MediaLibrary;
+use BackendAuth;
 use Backend\Classes\FormField;
+use System\Classes\MediaLibrary;
 use Backend\Classes\FormWidgetBase;
 
 /**
@@ -63,7 +64,9 @@ class MediaFinder extends FormWidgetBase
             'imageHeight'
         ]);
 
-        if ($this->formField->disabled) {
+        $user = BackendAuth::getUser();
+
+        if ($this->formField->disabled || !$user || !$user->hasAccess('media.manage_media')) {
             $this->previewMode = true;
         }
     }